Dark Reading | Threat Intelligence | Commentary
11/20/2017 10:30 AM
Oliver Rochford

3 Ways to Retain Security Operations Staff

Finding skilled security analysts is hard enough. Once you do, you'll need to fight to keep them working for you. These tips can help.

The shortfall in security professionals, and most notably security operations center (SOC) analysts, has been well documented. However, hiring skilled security analysts is only part of the problem. Even if an organization is able to recruit security analysts, retaining them in the long term is an even greater challenge. The foundational market forces of supply and demand enable these professionals to easily jump ship, often achieving a higher salary and title in the process.

During my time at Gartner, informal feedback I received from managed security service providers (MSSPs) indicated that the average retention period for a junior SOC analyst was between 12 and 18 months. It's important to bear in mind that MSSPs are generally able to offer a better career advancement path for SOC employees than most enterprises.

Nevertheless, using the right techniques, retention can be improved. Here are the top three ways to attract and retain SOC analysts.

1. Convert Roles to Duties, and Then Rotate Them
The primary roles in a SOC, with some variation, are shown in Figure 1.

Figure 1. SOC roles and duties

Role    | Duties
Tier 1  | Alert queue monitoring, incident qualification, triage and escalation
Tier 2  | Incident investigation, remediation advice
Tier 3  | Detection and use case optimization, hunting and investigation, threat intelligence analysis

The greatest mistake organizations make is defining these as fixed roles (jobs). Tier 1 work is repetitive and monotonous, and intellectually unchallenging. In addition, anyone who has ever stared at an alert console for months on end can attest to the fact that it also conditions analysts to pay less attention, which has a negative impact on effectiveness and efficiency.

Meanwhile, staff retention in Tier 2 and Tier 3 roles is higher, which results in fewer new openings and promotion opportunities for junior analysts. Once junior analysts have successfully worked in a SOC for 12 months or more, they can easily find more senior roles with another organization.

Each one of the Tier 1 through 3 roles can easily be rotated, with analysts working in each position for one-week intervals. This approach distributes both the interesting and tedious work across the team, which improves alertness and provides everyone the opportunity to perform some intellectually challenging and interesting work.

In addition to increasing retention, this rotation provides every analyst the opportunity to become familiar with the various roles required to operate a SOC. This cross-functional training helps mitigate skills gaps and maintain operational continuity if someone leaves the organization or is on paid time off.

2. Offer Phased Training and Certifications
Providing training and certifications is another great retention mechanism if they are offered based on employment tenure. For example, a new analyst may be offered a certification course such as the GIAC Certified Intrusion Analyst after 6 months of active employment, the GIAC Forensic Analyst after 12 months, and the GIAC Certified Forensic Examiner after 24 months.

I've used GIAC here as an example, but SANS and other companies also offer similar courses. Correctly applied, such a system can help increase analyst retention from the typical 12 to 18 months to as long as 5 years. Alternatively, analysts across a team can be given different certification courses in each phase. This ensures that the team has a broad and comprehensive skill set, and the analysts who have attended a given course can train the rest of the team to transfer the knowledge.

Figure 2. Example Training Plans

Employment Time | Analyst 1                         | Analyst 2                         | Analyst 3                         | Analyst 4
6 months        | GIAC Certified Intrusion Analyst  | GIAC Certified Intrusion Analyst  | GIAC Certified Intrusion Analyst  | GIAC Certified Intrusion Analyst
12 months       | GIAC Certified Forensic Examiner  | GIAC Reverse Engineering Malware  | GIAC Network Forensic Analyst     | GIAC Cyber Threat Intelligence
24 months       | GIAC Reverse Engineering Malware  | GIAC Network Forensic Analyst     | GIAC Cyber Threat Intelligence    | GIAC Certified Forensic Examiner
36 months       | GIAC Network Forensic Analyst     | GIAC Cyber Threat Intelligence    | GIAC Certified Forensic Examiner  | GIAC Reverse Engineering Malware
48 months       | GIAC Cyber Threat Intelligence    | GIAC Certified Forensic Examiner  | GIAC Reverse Engineering Malware  | GIAC Network Forensic Analyst

3. Offer Step-up Retention Bonuses

Offering increasing retention bonuses for each year of employment rewards analysts for their loyalty and gives them an incentive to stay with the organization. The salary increase from an entry-level to a mid-career analyst is between 20% and 30%, so a good bonus strategy will ensure that a similar increase is achieved over a 3- to 5-year period.

In combination, these three strategies can significantly improve and increase SOC analyst retention, reduce the cost of recruiting and training new analysts, and minimize the negative impact of employee turnover on operations.

Oliver Rochford is the Vice President of Security Evangelism at DFLabs. He previously worked as research director for Gartner, and is a recognized expert on threat and vulnerability management, cybersecurity monitoring and operations management. Oliver has also been a ...

Comments
Syberguy (User Rank: Apprentice), 12/7/2017 5:23:46 AM
Re: Timely, and yet...
I agree, but this issue has been around in other industries for some time now, whereby employers (organizations) are more focused on the bottom line and short-term gains, as well as pleasing the stakeholders and board members, than on actually engaging with their internal staff. This, in addition to pay, vacation, life balance, hours of work, environment and politics, adds fuel to discontentment throughout the departments.

As an industry collaborator in various fields of IT and Healthcare, I see this trend continuing, especially with the added contradiction of contract work rather than employment.
Joe Stanganelli (User Rank: Ninja), 11/27/2017 4:16:07 PM
Re: Excellent article - applies to a number of different jobs
@REISEN: Also, it helps people learn the business -- and, assuming other things go well in the employer-employee relationship -- gets the employee more invested in the success of the company. I've seen that phenomenon work wonders, myself.
Joe Stanganelli (User Rank: Ninja), 11/27/2017 4:10:13 PM
Timely, and yet...
This is a great flip on a common theme in this sector: the dreaded "talent shortage" in cybersecurity.

Alas, it is hard for information-security professionals to feel any sense of attachment or loyalty to their employers if employers don't demonstrate loyalty or attachment in turn. When companies turn to cheap offshore or H1-B/L1 Visa labor and/or outsource to low-bidding vendors for strategic functions that should really be internal, one would be foolish to expect anything other than their cybersecurity personnel to be frequently updating their resume and shopping it around.
Dr.T (User Rank: Ninja), 11/27/2017 1:28:39 PM
Re: Excellent article - applies to a number of different jobs
"more knowledge to learn - more stuff to do! Paying off in many ways."
This makes sense: when people build knowledge they feel more secure, since they can find positions somewhere else easily.
Dr.T (User Rank: Ninja), 11/27/2017 1:26:59 PM
Re: Excellent article - applies to a number of different jobs
"I recently left a nice paying job with no future and no learning"

We experience this a lot. It is not only money anymore; people are looking for satisfaction from their jobs.
Dr.T (User Rank: Ninja), 11/27/2017 1:25:27 PM
Re: Excellent article - applies to a number of different jobs
"It is LEARNING new items"

Agree. Learning new things keeps people busy and engaged.
Dr.T (User Rank: Ninja), 11/27/2017 1:23:56 PM
Re: Excellent article - applies to a number of different jobs
"it fits for any number of corporate position and not just in IT alone"

I agree with this. It is hard to keep the retention rate high in IT, but also in other departments in the organization today.
Dr.T (User Rank: Ninja), 11/27/2017 1:22:40 PM
3 simple steps
These 3 simple steps are quite well thought out. Simple and effective, I would say.
DonHarper (User Rank: Apprentice), 11/23/2017 4:44:09 PM
Re: Excellent article - applies to a number of different jobs
Great move you did there. Respect it.
REISEN1955 (User Rank: Ninja), 11/21/2017 8:40:47 AM
Excellent article - applies to a number of different jobs
If one takes the security aspect out of this essay, it fits for any number of corporate positions and not just in IT alone. You have to rotate staff in a department to cross-train and have people available not only for emergency fill-in when needed but for intellectual stimulation. It is by LEARNING new items that IT people, and Security staff as a subset, feel they have a good chair at the table. Otherwise, they find another table in another restaurant. I recently left a nice paying job with no future and no learning to move to a forensics department with far better salary BUT ALSO more knowledge to learn - more stuff to do! Paying off in many ways.